WhatsApp Web Client Privacy Bug Puts Your Private Photos At Huge Risk

WhatsApp, now owned by Facebook, is the most-used cross-platform IM app going, and since the acquisition last year, it has been subject to a number of changes and improvements. Towards the tail-end of last month, for example, a WhatsApp Web Client was launched, and although it could do with a few feature enhancements, it is pretty functional for a version 1.0. Now, though, it has emerged that the WhatsApp Web Client has brought a new privacy concern, with syncing issues between the app and the Web Client seemingly exposing users’ personal pictures.

After the major iCloud hack that occurred in the run-up to last September, users are more wary of where they store their photos, but while companies dealing with such software have been quick to shore up security, one researcher has found a potentially significant oversight in WhatsApp’s infrastructure.

Security expert Indrajeet Bhuyan notes that because the WhatsApp app doesn’t sync seamlessly with the Web interface, users are vulnerable to having their profile photos snooped on by strangers, and while this isn’t as much a cause for alarm as if, say, private images were exposed, it’s still a major PR fail on WhatsApp’s part.

As most WhatsApp users will know, there’s a feature within the security settings that allows profile photos to be kept hidden from unapproved users, but this newly-exposed bug essentially undermines this option. While WhatsApp has striven to keep things tight with regard to security with such features as end-to-end encryption, this does not make for particularly happy reading, and despite the relatively low-key nature of the flaw, let’s hope it’s amended sooner rather than later.

As somebody who uses WhatsApp almost constantly, I was personally rather disappointed with the Web Client, which isn’t something I’ve been in a rush to re-use after testing it out upon launch. As I say, though, it’s still very early doors, and with further updates, it should find a home on the Web as it has on mobile devices.

This isn’t iCloud hack mk. II, by any stretch of the imagination, but since WhatsApp does offer the ability for users to obscure profile pictures from non-contacts, it would make sense for the company to honor this.

We’ll keep you updated on any further developments on this matter, so stay tuned!


BitTorrent Sync with unique and very long paraphrase would avoid this… I sync with a folder on my home computer whenever I have Wi-Fi; it watches my ‘photos’ folders on my Android device. My home computer is then ‘synced’ to a folder on an external encrypted hard-drive that is read-only BitTorrent Sync… so it only ‘updates’ one-way. Personal, encrypted, secure ‘cloud’.